debsecan

List vulnerable installed packages on the current host

$ debsecan

$ debsecan --suite [release_code_name]

$ debsecan --suite [release_code_name] --only-fixed

$ debsecan --suite [sid] --only-fixed --format [report] --mailto [root] --update-history

$ sudo apt upgrade $(debsecan --only-fixed --format [packages])

debsecan [options]

--format {format}
    Specifies the output format (e.g., plain, json, html). Defaults to plain.

--only-fixed
    Only show vulnerabilities for which a fix is available.

--source {source}
    Specifies the source list to use.

--cve {CVE_ID}
    Filters by the specified CVE ID.

--ignore {file}
    Ignore vulnerabilities listed in the specified file.

--severity {severity}
    Filter by a minimal severity (e.g. critical, high, medium, low).

--package {package_name}
    Filter by a specific package name.

--no-color
    Disable colored output.

--help
    Display help message.

--version
    Show version information.

--exit-code
    Returns a non-zero exit code when vulnerabilities are found

debsecan is a command-line tool designed to scan installed Debian packages for security vulnerabilities. It leverages the Debian Security Tracker database to identify packages with known issues and provides a report of potential security problems. The tool aims to help administrators quickly identify and address security risks within their Debian-based systems.

Debsecan works by comparing the installed package versions on the system against the information in the Debian Security Tracker. It reports vulnerabilities based on the version of the packages currently installed. This approach provides a realistic assessment of the system's security posture.

The tool is especially valuable for automated security audits and continuous integration/continuous deployment (CI/CD) pipelines. Administrators can incorporate debsecan into their security routines to ensure that systems are regularly checked for vulnerabilities and that appropriate remediation steps are taken promptly. It is easy to use and requires minimal configuration which makes it accessible to both novice and experienced users.

Debsecan relies on the Debian Security Tracker database. Its accuracy depends on how up-to-date and complete the information in the database is. False positives or negatives may occur if the database is not fully synchronized with the system's package versions or if vulnerabilities are not yet reported.

The exit code of debsecan is 0 if no vulnerabilities are found. If '--exit-code' is provided and vulnerabilities are found, the exit code will be non-zero (typically 1).

debsecan typically requires minimal configuration. However, the location of the Debian Security Tracker data and the list of sources can be configured using command-line options.

debsecan was developed to simplify security auditing on Debian systems. It provides a straightforward method for identifying vulnerabilities, reducing the manual effort required for security checks. The tool has become a popular choice for administrators and security professionals who seek an efficient and reliable way to assess the security of Debian-based systems.

apt(8), dpkg(1)